Getting started: ASA5520 w / AIP - SSM
I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.
I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.
Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?
Thank you
Jeff
In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.
Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm
Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926
There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.
Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.
I hope this helps. Remember messages useful rate. Thank you!
Tags: Cisco Security
Similar Questions
-
do not get traffic of ASA AIP-SSM-20.
Hello
We have Cisco ASA 5510, and we recently added Cisco AIP - SSM. We have configured the sensor and did as well as ASA also but we don't get newspapers in ADM please help me on this.
Please find attached Sersor Configuration and version of the IPS and ASA module.
Kind regards
Nathalie. M
On the SAA, you need
access-list aip-acl extended deny ip any any
class-map aip-class
match access-list aip-acl
policy-map global_policy
class aip-class
ips inline fail-open
service-policy global_policy globalso that it sends traffic to the agreement in principle for inspection.
I hope it helps.
PK
-
I ASA5520 with AIP-SSM-10, and I want to send messages from IPS sensor to the external syslog server. I'm not able to find, how to configure it.
Thank you for any suspicion.
From now on, SSM modules cannot be configured to send events as syslogs to a syslog server. You can send these events to the spectators of the event or security monitor.
Kind regards
Maryse.
-
AIP - SSM 10 Signature Update license?
Hi every one.we had an AIP - SSM 10 for our asa5520.actually it is bundle asa5520 + AIP-SSM10. (part number ASA5520-AIP10-K9 =)
(1) I want to know that if we want to improve our signature aip - ssm we get the Services Cisco IPS download signatures or not with this number of pürt we get it too!
(2) in the case and we must get the Cisco IPS services separately so where can I find a reference number for the services of this?
(3) what license that must be installed on the sensor activation? If we get the Cisco Services for FPS then we receive license activation for installation on sensor too? or not if not, can we install signatures on a sensor that it has not been activated yet? guess we can get a few signatures how! (I know JOINT-2 we cannot install any license until the license is installed on the sensor.) Thank you
CON-SU1-AS2A10K9 would be the correct contract to put all the pieces of the boot under the maintenance contract.
CON-SU1-ASIP10K9, this is what is used when the AIP-SSM-10 are purchased as spare.
I don't know if yes or no this Service Cisco IPS contract can be used to cover only the AIP-SSM-10 if it was purchased as part of a package instead of a spare part. You will need to ask your reseller or Cisco sales representative.
-
(ASA) AIP - SSM 10 Inline; Supreme events?
A 5520 ASA with SSM-10 GOAL is set to inline mode, but the events of the show for 2 hours (sensor > HS event past 02:00) of the Interior of the sensor shows and "promicuous mode", "left promicuous mode'."
This AIP SSM - 10 has only one gig0/0 and gig0/1 where o/o is taken out of service and a value default virtual sensor (vs0) is assigned to gig0/1. I see the statistics (sensor > sh SEO-engine of analysis) to gig0/1 so I collect statistics.
If the configuration of the ASA 5520 has the following policy of inline and events log shows that enter and exit in promiscuous mode so how do I check if I am inspection/recovery in inline mode?
(ASA > sh run access-list IPS)
IPS list extended access permitted ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0
(ASA > sh run | b class-map)
class-map IPS
corresponds to the IP access list
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the waas
inspect the icmp
class IPS
IPS inline help
!
global service-policy global_policy
(sensor > sh interfaces)
...
Statistics interface GigabitEthernet0/1 MAC
Function of interface = interface detection
Description =
Support type = backplane
By default Vlan = 0
Inline = unpaired mode
Pair of status = n/a
Circumvention of Capable hardware = no.
Twin derivation material = n/a
Link status = upwards
Link speed = Auto_1000
Link Duplex = Auto_Full
Lack of Packet percentage = 0
Total packets received = 95044
Total number of bytes received = 8715230
Total multicast packets received = 0
Total of broadcast packets received = 0
Total fat packets received = 0
Total sousdimensionnés packets received = 0
Receive the total errors = 0
Receive FIFO overruns total = 0
Total packets transmitted = 95044
Total number of bytes sent = 9047702
Total multicast packets sent = 0
Total broadcast packets sent = 0
Total fat transmitted packets = 0
Total packets transmitted sousdimensionnés = 0
Total transmit errors = 0
Total transmit FIFO overruns = 0
sensor > sh events last 02:00
evStatus: eventId = 1203360411830836145 = Cisco vendor
Author:
login host: ASA2_IPS
appName: kernel
appInstanceId:
time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
syslogMessage:
Description: device ge0_1 entered promiscuous mode
evStatus: eventId = 1203360411830836146 = Cisco vendor
Author:
login host: ASA2_IPS
appName: kernel
appInstanceId:
time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
syslogMessage:
Description: the promiscuous mode device ge0_1 left
The left State events and entered promiscuous mode are usually generated when you do a 'package of display' or 'the capture of packets' command on the CLI of the sensor.
Track order of the package is promiscuity but is independent of promiscuity or inline followed by analysis of the probe engine.
If you have inline monitoring using the probe analysis engine.
And still make command package to the cli for your own monitoring promiscuity of those same packets. Here are 2 independent monitors of the same packages.
If I remember right inline monitored packets always get returned to the ASA (unless expressly denied), which is not promiscuous packets. So check sensors gig0/1 interface statistics and the number of packets for transmission. If receive and transmit accounts are quite close, then packets are monitored by the analytical engine InLine. If the number of transmission is nil or very low then the packets are likely promiscuous monitored.
With the configuration of your ASA you are correctly configured for online tracking.
So I don't think that you are investigating inline, and status messages are specific to your start and stop of the command 'package' on the CLI for your own independent viewing packages promiscuity.
-
AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts
Hello guys,.
The scenario is as follows:
2 ASA 5500 with virtual contexts for failover.
The ASA elementary school has the work of the AIP-SSM20.
ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.
Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.
Now questions, documentation Cisco re-imaging view orders under ASA #.
but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).
What is the solution? Is there documentation for it (with security contexts)?
Thank you very much for reading ;) comment on possible solutions.
Yes,
Some things to keep in mind.
(1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.
(2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.
(3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.
(4) also try the download first at the end of the gateway to 0.0.0.0 since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent 30.0.0.4 address as gateway.
(5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.
-
AIP SSM - application of physical port
Hi all
I have an ASA5520 with the AIP SSM module.
I would like to get a quick check on 2 things.
- Module AIP-SSM MUST have a physical ethernet port plugged in order for IPS to function?
- Module AIP-SSM IP address must be on a different IP range like ASA5520 interfaces. ?
Please correct me if I'm wrong.
As I have it a deployment of ASA + AIP, but due to the imitation of physical port on our network & IP; We are not able to answer for the AIP module.
Please notify.
1. physical ethernet port must be plugged in and connected to the network for management purposes. To manage the AIP itself module for the GUI of IDM.
2. No, it didn't need to be on the different range of IP addresses as the interface of the ASA. It's just another IP of your network, and it must be connected to the network via its management port (physical port located on the IAFF himself module), it may be on another subnet within your ASA interfaces.
The only way that you can manage the AIP via the GUI (IDM) module is via its physical port. However, if you are happy to set up and manage the module AIP via command line, you can always just session through the ASA command line, however, it can be annoying AIP CLI management.
-
AIP - SSM maintenance of Configuration in Active mode Stdby
So, I'm pretty new to the AIP - SSM but not for the ASA. It seems that very few of the AIP module configuration gets copied to the AIP Stdby, nothing else that what appears in the config of the ASA (ACL, etc.). Thus, all elements of specific configuration for the module itself must be manually reproduced on Stdby module, either entered hand or config copies moved between the two?
Planned in the future.
-
Hello
Scenario of
2 networks
outside the network ALL
inside the 192.168.1.0 network
How can I simulate the work of AIP - SSM at the back of the firewall?
My version.
test access extended list permits all ip 192.168.1.0 255.255.255.0
the class map test
match name of group-access test
the policy-map test
the class test
IPS inline help
Expected that all comments
Thank you
Leo
My expertise lies in the IPS and not the firewall. My knowledge of the firewall is quite limited in what it takes to get the packages to the SSM.
SO I'm not sure what the ACL are applied before the decryption or after decryption.
If you want to know at what stage the ACL are applied, you need post a message on the forum of firewall.
I was just trying to show that all firewall features (whatever they are) would be on the package before sending it to the SSM with the exception of encryption and the final drive.
-
Try to upgrade an AIP-SSM-20.
We have 2 ASA in a failover configuration, upgrade on the AIP-SSM-20 secondary has been a success.
On the primary AIP-SSM-20, we get the following error when you try to upgrade via FTP from the same server that we have updated the secondary SSM module of:
execUpgradeSoftware: permission denied
The current version is 1,0000 E1, tyring 4,0000 E1 upgrade
We tried when the module is active and when it's not... same error in both directions. Doesn't seem to be a user FTP error since we get a different when error deliberately hits the user or password.
Our SSM user has administrator privileges (cisco default user) and we tried to restart the SSM... no luck
Anyone has any idea on this?
Thank you
John Stemke
I don't know if the error is generated by the sensor itself, or from the ftp server.
To discover the try running a sniffer of packages on the ftp server or the 'package' command on the CLI for the command of the probe and control interface.
Run the command to upgrade and see if a ftp connection is still attempted by the sensor.
If no ftp connection is attempted, then the error would be to the sensor itself, and it would seem that the user doesn't have permissions admin (which doesn't seem to be your case by what you wrote).
If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packages that you have captured and see if an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission for the file.
You can also try a ftp from your own desktop to the same ftp server by using the same user and password used for the sensor and see if you can download it on your own desktop.
As a work around to get your updated sensor to update and work on this authorization the problem is later to copy the upgrade on your desktop.
Run IDM and use IDM to repel the upgrade of your desktop directly on the sensor.
-
The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)
Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP - SSM (IPS) devices?
Can we do without Cisco ASA AIP - SSM (IPS) of 'only' configuration/implementation Cisco ACE IPS.
Cisco AVS/ACE emphasis on commissioning and to secure web-based applications. IP addresses do not focus on just the web applications and trying to get the multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)
Here is the response from Cisco itself:
Q: how is Cisco AVS Firewall application differs from an intrusion prevention system (IPS)?
A. IPSs are solid solutions of protection against targeted attacks of known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels to protect against targeted attacks Web sites or enterprise applications. These applications can be built custom internal applications or software vendor. Signatures and security patches are generally not available for these types of applications, and building these security levels in each application, it would be almost impossible.
Q: how is Cisco AVS Firewall application differs by a network firewall?
A. The Cisco AVS 3120 and Firewall network such as the Firewall of Cisco PIX® and Cisco ASA 5500 Series Adaptive Security appliances are complementary products. The application Cisco AVS Firewall secures Web applications; excellent network in the network security firewall. and the Cisco AVS provides defense in depth for Web applications.
Firewall network apply policy networks, IP addresses and ports; they have a wide range of application for many different protocols layer features. The firewall can and will be deployed in many locations, including the edge, edge of the enterprise network, branch, etc. Cisco AVS imposed the policy on data HTTP as URL, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications
Concerning
Farrukh
-
Physical connectivity of ASA AIP - SSM
How the physical connectivity of ASA AIP - SSM should be in the case of inline interface mode of inspection for all interfaces of the firewall. ?
Rgds.
Assuming that 'interface_policy' has "inline ips" in the policy, then yes your configuration is correct.
Keep in mind that 'GigabitEthernet0/1' being assigned to vs0 is the background interface of basket of the MSS itself and should not be confused with the external interface GigabitEthernet0/1 of the SAA.
As for using several virtual probes, it is a personal choice.
When you use an ASA with just a single context, then usually a single virtual sensor is sufficient. It's only when you want to follow for traffic coming from firewall interfaces (or different classes of traffic) If you want to use several different virtual devices.
However, when you use an ASA with multiple security contexts, then it is usually a good idea to go and use a virtual sensor separate from the context of the ASA.
If you choose to use several virtual devices, you must understand that the background basket interface GigabitEthernet0/1 are only awarded to only 1 virtual sensors.
Here is an explanation of how the other virtual sensors would get traffic:
When packets are sent to DFS for monitoring ASA, ASA includes a special header in each packet. Special information such as the framework of the SAA whence the package, the real and NAT/PAT package addresses, and a few other things. An important field of this header is for the virtual sensor. He tells the SSM which virtual sensor must monitor this package.
When the ASA is configured without using the names of virtual sensor, this is a virtual sensor in the package header field is blank. If the SSM sees a package with the field left blank it will check the DFS configuration to see which virtual sensor GigabitEthernet0/1 of the SSM has been assigned and that sends the packets to the virtual sensor.
If ASA has been configured to send the packet to a specific virtual sensor (be it by adding the name of virtual sensor at the end of the "inline ips" entered configuration or by using the configuration entries "allocate ips" in the context of system configuration) then the ASA will include the virtual sensor in the header of the packet. The SSM will read in this area, and instead to send the virtual sensor where Gig0/1 is assigned, it will rather send to virtual sensor specified in the header of the packet.
Indeed, it overrides the assignment Gig0/1 and will lead to what ever virtual sensor has been specified by the configuration of the SAA.
-
Hi all
I need help. I'm setting up my 3.1 CSM to apply the update on my IPS AIP - SSM.
I went to the FPS tab apply and choose Update cisco.com. But it's still as treatment for a long time.
I tried to enter my username and password for the sensors or account of the BCC but still no improvement. Anyone know how to configure it. I tried to read the user guide there is no examples.
Thank you
The two IPS - K9 - 5.1 - 8.pkg abd IPS-SSM_10-K9-sys-1.1-a-5.1-8-E3.img will recreate the image on the partition recovery and the application partition.
The System Image will erase everything before starting the imaging process.
The Service Pack Upgrade file will first of all take the current configuration and convert it to work with the new version and save off the coast. Also several other special folders on the sensor (for example, the license file) will be saved off the coast. The imaging process will run and then the saved to the large files will be automatically applied to the probe.
-
AIP SSM-10 - how to check traffic being passed for inspection?
Hello
I've implemented an AIP - SSM on our ASA5510 for the first time, as a result of this excellent guide, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml.
The difference between the environment used in the doco and ours are the specifications of our ASA and module, the following IOS version 8.0 (4), version ASDM is 6.1 (3), the version of the application of SSM is 5,0000 E2.
I have followed all the steps to enable connectivity to the module of the ASDM, created the access list to allow all ip traffic to be transmitted to the inspection module, map of the class and the political map indicating promiscous mode, relief. The service policy is applied throughout the world.
The problem I'm having is that when I try to check as indicated on the guide to the alert of events see the command on the CLI module I don't get any output, so I don't know if the traffic is passed to the module. Can someone plese help me clarify this?
Kind regards
Esteban
Run 'show conf' on your AIP SSM CLI. Check interface GigabitEthernet0/1 basket of the MSS background assigned to sensor virtual vs0.
If it does not, then run "setup" and towards the end of the installation wizard, there will be an option to change the interface and the virtual sensor configuration. Use this option to change the configuration for sensor virtual vs0 and in the interface.
You can also run "show stat vs0 virtual sensor" to see the number of packets being crawled by vs0.
-
Configuration of AIP SSM to monitor only
Hi all
We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature, but not block anything, i.e. just record events? It's just to see if any legitimate business traffic will be blocked.
Thank you!
Jacques
Set the ASA to send traffic to IP addresses in promiscuous mode by using the following command in a sheet of policy:
IPS hostname(config-pmap-c) # {inline | promiscuity} {failure-closing |}
rescue} [sensor {sensor_name | mapped_name}]
http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html
Geroge
Maybe you are looking for
-
I used an icon on my desktop to access our e-mail account. The icon no longer works after upgrade to Windows 7
-
My icons and fonts are great for my screen
my icons and fonts are big for my screen. In addition, they are everywhere. I tried to make them smaller and not luck.
-
EditField - cursor stuck in the field
Hello I have an EditField which changes color on onFocus and onUnfocus. What is strange, is that the slider 'stuck' in the EditField whenever I move (using the trackball) in the field. I am not able to move out of the EditField until I hit the ESC
-
Why is my illustrator file exported pixelated?
Hi allI created a logo in illustrator, but every time that I exported the image or images and logos of text they appeared pixelated. I also tried the options "save for web" and nothing seems to have worked. Is there something that will help with th
-
I'm trying to broadcast 8 balls on the scene with an irregular space between them within a range. using variable myNum in this statement ball.x = 150 + i * myNum; inside the for loop I jumps that it spreads to each 8 balls in a unequal space. However